Overview of Vulnerability Response

With Vulnerability Response, you can compare the library of known vulnerabilities against your Configuration Items (CIs) to find those running vulnerable software (as identified in the Asset Management module). The vulnerability data can be pulled from internal and external sources, such as the National Vulnerability Database (NVD).

For CIs with software affected by a vulnerability, you can create changes, problems, and security incidents. You can also view the library of Common Weakness Enumeration (CWE) records from the NVD to understand how they relate to the Common Vulnerabilities and Exposures (CVE) records. Knowledge articles associated with the CWEs are included for reference. As needed, you can update your system from the vulnerability databases on demand or by running user-configured scheduled jobs.

If the Qualys Vulnerability Integration plugin is activated and configured, Vulnerability Response can receive vulnerability data from the Qualys scanner in the form of vulnerabilities and vulnerable items. You can also assign and remediate groups of CIs in bulk.

Vulnerability Response terminology

The following terms are used in Vulnerability Response.

CVE
    Common Vulnerabilities and Exposures: a dictionary of publicly known information-security vulnerabilities and exposures.

CVSS
    Common Vulnerability Scoring System: an open framework for communicating the characteristics and severity of software vulnerabilities.

CWE
    Common Weakness Enumeration: a list of software weakness types.

Discovery models
    Software models used to help normalize the software you own by analyzing and classifying models to reduce duplication.

Vulnerability calculators
    Calculators used to prioritize and categorize vulnerabilities based on user-defined criteria.

Vulnerability integrations
    A process that pulls report data from a third-party system, generally to retrieve vulnerability data.

Vulnerability entries
    Records of potentially vulnerable software downloaded from the National Institute of Standards and Technology (NIST) NVD.

Vulnerable items
    Pairings of vulnerability entries downloaded from the NIST NVD and potentially vulnerable configuration items and software in your company network.
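To make the overview concrete, the following added example (not ServiceNow's own code) shows how vulnerability entries are paired with CIs to produce vulnerable items and then prioritized by CVSS, the way a simple vulnerability calculator would. The vulnerability entries, CVE ids, product names and CMDB extract are all constructed placeholders.

```python
# Constructed NVD-style vulnerability entries (placeholder CVE ids, not real ones).
# "versions" is an inclusive affected range, as a CPE match range would express it.
VULN_ENTRIES = [
    {"cve": "CVE-0000-0001", "product": "examplecorp:webd", "versions": ("2.0", "2.4.9"), "cvss": 9.8},
    {"cve": "CVE-0000-0002", "product": "examplecorp:webd", "versions": ("2.5", "2.5.3"), "cvss": 5.3},
    {"cve": "CVE-0000-0003", "product": "examplecorp:dbsrv", "versions": ("10.0", "10.2"), "cvss": 7.5},
]

# Constructed CMDB extract: CI name -> installed (product, version) pairs.
CIS = {
    "web-01": [("examplecorp:webd", "2.4.3")],
    "web-02": [("examplecorp:webd", "2.5.4")],
    "db-01": [("examplecorp:dbsrv", "10.1"), ("examplecorp:webd", "2.2.0")],
}

def parse_version(v):
    # Dotted numeric versions compare correctly as integer tuples ("2.10" > "2.9").
    return tuple(int(p) for p in v.split("."))

def affected(installed, lo, hi):
    """Inclusive range check: is the installed version inside [lo, hi]?"""
    return parse_version(lo) <= parse_version(installed) <= parse_version(hi)

def severity(cvss):
    # CVSS v3 qualitative rating bands.
    if cvss >= 9.0: return "critical"
    if cvss >= 7.0: return "high"
    if cvss >= 4.0: return "medium"
    return "low" if cvss > 0.0 else "none"

def find_vulnerable_items(entries, cis):
    """Pair each vulnerability entry with every CI running an affected version."""
    items = []
    for ci, software in cis.items():
        for product, version in software:
            for e in entries:
                if e["product"] == product and affected(version, *e["versions"]):
                    items.append({"ci": ci, "cve": e["cve"], "version": version,
                                  "cvss": e["cvss"], "severity": severity(e["cvss"])})
    # Prioritize highest CVSS first; CI name breaks ties for stable output.
    items.sort(key=lambda i: (-i["cvss"], i["ci"]))
    return items

def group_by_cve(items):
    """Group affected CIs per CVE, the unit you would assign or remediate in bulk."""
    groups = {}
    for i in items:
        groups.setdefault(i["cve"], []).append(i["ci"])
    return groups

if __name__ == "__main__":
    for item in find_vulnerable_items(VULN_ENTRIES, CIS):
        print(item)
```

Note that web-02 is not reported: its version 2.5.4 falls just outside the 2.5 to 2.5.3 range, which is exactly the kind of boundary a real integration must get right to avoid false positives and negatives.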